Analysis
max time kernel: 128s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/12/2023, 01:28
Behavioral task: behavioral1
Sample: 4656610aadf30bdfd1062de4c22d009b.exe
Resource: win7-20231215-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 4656610aadf30bdfd1062de4c22d009b.exe
Resource: win10v2004-20231215-en
7 signatures, 150 seconds
General
Target: 4656610aadf30bdfd1062de4c22d009b.exe
Size: 12.3MB
MD5: 4656610aadf30bdfd1062de4c22d009b
SHA1: 3737f7ca431edd0134ae45f24b1c49a7f63f5010
SHA256: 9223b760df388cabe90b488a3773a2f4eadea096f53cfee685e0823296fc3ea4
SHA512: a3e3c794573fa0536a6261436c3f3738d9c75f0267e23e76a9e2aed798da5d2b67408b192a2676fba9b81e45e4876e6d2ca725799d81c19e6e1276efc1aa5d24
SSDEEP: 393216:ukExhoUZACJbA5x4jeRnaJo5tV8N45Rkb:ukEfoUZlbA5x4qpaKI4bkb
Score: 7/10
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/1800-1-0x0000000000400000-0x0000000001B59000-memory.dmp | vmprotect
behavioral2/memory/1800-7-0x0000000000400000-0x0000000001B59000-memory.dmp | vmprotect
behavioral2/memory/1800-15-0x0000000000400000-0x0000000001B59000-memory.dmp | vmprotect
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 4656610aadf30bdfd1062de4c22d009b.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
1800 | 4656610aadf30bdfd1062de4c22d009b.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1800 | 4656610aadf30bdfd1062de4c22d009b.exe
1800 | 4656610aadf30bdfd1062de4c22d009b.exe
1800 | 4656610aadf30bdfd1062de4c22d009b.exe
1800 | 4656610aadf30bdfd1062de4c22d009b.exe
Suspicious use of AdjustPrivilegeToken 42 IoCs
description | pid | Process
All 42 IoCs are token adjustments by pid 4560, wmic.exe. The following sequence of 21 privileges was observed twice:
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1800 | 4656610aadf30bdfd1062de4c22d009b.exe
1800 | 4656610aadf30bdfd1062de4c22d009b.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 1800 wrote to memory of 4560 | 1800 | 4656610aadf30bdfd1062de4c22d009b.exe | 92
PID 1800 wrote to memory of 4560 | 1800 | 4656610aadf30bdfd1062de4c22d009b.exe | 92
PID 1800 wrote to memory of 4560 | 1800 | 4656610aadf30bdfd1062de4c22d009b.exe | 92
Processes
C:\Users\Admin\AppData\Local\Temp\4656610aadf30bdfd1062de4c22d009b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4656610aadf30bdfd1062de4c22d009b.exe"
  PID: 1800
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Wbem\wmic.exe (child of PID 1800)
    Command line: wmic BaseBoard get SerialNumber
    PID: 4560
    - Suspicious use of AdjustPrivilegeToken